be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c

General

Target

be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
Size

60KB
MD5

8277b65d3e0c37d1c5857776a7d8f2c6
SHA1

0d4ef0603abfaf592a4bfc1385f3a5cb511ceea8
SHA256

be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c
SHA512

9a006ee5d3ca1f534874cff906a6e45c147e4e062c52be40e628942f192cdae96dfff3a6c320cd5ed0338449c922aea197f056356f1b7b63d01515c50092a5fc
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBHfBo8o3PV15Rn:V7Zf/FAxTWoJJZENTBHfiP3zemtjF

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4650) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4784-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.exe	upx
behavioral2/memory/4784-648-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Loader.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Dataflow.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Registry.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsBase.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Contracts.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.Vectors.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsBase.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-math-l1-1-0.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsFormsIntegration.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\desktop.ini.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Annotations.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClientSideProviders.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsBase.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy.jar.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsFormsIntegration.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\7-Zip\7zG.exe.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TextWriterTraceListener.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe

C:\Users\Admin\AppData\Local\Temp\be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
"C:\Users\Admin\AppData\Local\Temp\be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

Filesize
60KB

MD5
5f8e75a98e5c0fa836c8af8deba2d25e

SHA1
4b89ad5a494e4035f915b9b9567507ca2c9b0595

SHA256
279c0acdc8596c8bb1a4d961716b809106a901ee5b1da4ade0b2b2c716d75678

SHA512
fb88a70af26f7f221773a34e2bbcfc83f95561b257982b27ec81b344a478fce387d55bc9c25ec6dfd0305a2f9128063462025b8247ebbdd7e5838057466066b7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
159KB

MD5
4b8bf0516809fc195cd3d2cf96246457

SHA1
4b549ed93a6d96dc6a61094c6069195262672078

SHA256
652a53a6cb2854733851a2600cc67c59eff93b80b54909596ec308f78733d737

SHA512
fd6bc230d0a1caa46f8f6cd250cb8c0fdd4bf9e949f835f51ae09a93241f0a42309ae3f93d4052182e5d4b125a936ce1218b1043306ba0f171ce09504e810587

Download Submit
memory/4784-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4784-648-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads